Anti-DDoS Advanced provides advanced protection policies against DDoS attacks. You can adjust and optimize the DDoS protection policy as required through blocklists/allowlists, disabling protocols, disabling (discarding) or opening ports, packet characteristic filtering, connection flood protection, and watermark protection.
Configuration Item | Description | Effective Time |
---|---|---|
Blocklist/Allowlist | IP-based protection. | It takes effect immediately when the protected IPs are under attack. |
Disabled protocol | It disables a protocol not used by the business. If attacks are detected, the Anti-DDoS cluster will cleanse the traffic under that protocol. | It takes effect immediately when the protected IPs are under attack. |
Disabled (discarded) or passed port | You can disable or pass traffic on the specified type of port. | When an attack is detected, the Anti-DDoS cluster will cleanse (or pass) the traffic on the specified port or port range. |
Packet filter characteristic | It combines multiple criteria (protocol, port range, packet length range, whether to detect the payload, offset, detection depth, and whether a characteristic string is included) based on the business or attack packets. If a packet matches the policy criteria, actions such as direct forwarding, discarding, source IP blocking, or disconnecting can be executed. | It takes effect immediately when the protected IPs are under attack. |
Speed limit | IP-based protection that limits the rate of the selected protocol. | It takes effect immediately when the protected IPs are under attack. |
Reject traffic from outside China | It rejects TCP traffic requests from outside China (where China includes the Chinese mainland, Hong Kong, Macao, and Taiwan). | It takes effect when the protected IPs are under attack. |
Connection flood protection | IP-based protection that limits the rate, packet length, and other parameters of connections to non-website IPs protected by Anti-DDoS Advanced, to defend against low-volume connection attacks. | It takes effect immediately when the protected IPs are under attack. |
Exceptional connection detection | When a source IP establishes a TCP connection that meets the configured parameter characteristics, the connection is regarded as exceptional. If the number of exceptional connections from that source IP exceeds the maximum allowed, the IP is added to the blocklist for a certain period and can no longer access the protected resource. | It takes effect immediately when the protected IPs are under attack. |
Watermark protection | It supports UDP and TCP packets. Watermark detection and stripping are performed on the payloads within the configured port range. Watermark protection defends against layer-4 CC attacks, such as forged business packets and replay attacks. | It takes effect immediately when the protected IPs are under attack. |
Configuring an advanced protection policy requires technical expertise. We recommend that you read the operation guide before configuring policies as needed.
Log in to the Anti-DDoS Console and select Anti-DDoS Advanced > Protection Configuration. On the Advanced DDoS Protection Policy tab, click Add Policy. Configure the following parameters as needed and click OK.
Policy Name
Enter a policy name containing 1–32 characters of any type.
Blocklist/Allowlist
You can add up to 100 IPs for the blocklist and allowlist. The number of IPs to be added in batches cannot exceed the current available quota.
Disabled Protocol
Select the protocol to be disabled. The speed of ICMP, TCP, UDP and other protocols can be limited.
Port Number
Select the protocol and port type, enter the corresponding port, and choose the discarding or passing action according to your business needs. If you need to configure a continuous port range, you can use the "start port-end port" format.
Packet Filter Characteristic
Set conditions such as the protocol, port range, packet length, payload detection, offset, detection depth, and characteristic strings and configure the action to be taken for immediate effect.
- Offset: specifies the start position of the matched characteristics in the packet.
- Detection depth: specifies the packet length from the position set by the offset to the end of the matching content. It is used together with the offset.
- Policy:
  - "Discard packet": discards the data packet matching the packet filter characteristics.
  - "Discard packet and block source IP": discards the data packet matching the packet filter characteristics and temporarily blocks the source IP.
  - "Discard packet and disconnect": discards the data packet matching the packet filter characteristics and closes the TCP connection.
  - "Discard packet, disconnect, and block source IP": discards the data packet matching the packet filter characteristics, closes the TCP connection, and temporarily blocks the source IP.
  - "Directly forward": directly forwards the data packets matching the packet filter characteristics.
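The following is an added example (not code from the Anti-DDoS product or this page) that models how the criteria above combine: every configured condition must hold, and the characteristic string is searched only inside the window defined by the offset and detection depth. Packet length is taken as the payload length, the rule and packet types and the sample rule are constructed for illustration, and unmatched packets are forwarded.

```python
from dataclasses import dataclass

# Action names as listed for the packet filter characteristic policy.
DISCARD_BLOCK = "Discard packet and block source IP"
FORWARD = "Directly forward"

@dataclass
class FilterRule:               # constructed model of one policy entry
    protocol: str               # "TCP" or "UDP"
    port_range: tuple           # inclusive destination port range
    length_range: tuple         # inclusive packet length range in bytes
    detect_payload: bool        # whether the payload is inspected at all
    offset: int                 # start position of the match window in the payload
    depth: int                  # detection depth: bytes examined from the offset
    pattern: bytes              # characteristic string
    must_contain: bool          # True: match if present; False: match if absent
    action: str

@dataclass
class Packet:                   # constructed model of a packet
    protocol: str
    dst_port: int
    payload: bytes              # len(payload) stands in for packet length (assumption)

def rule_matches(rule: FilterRule, pkt: Packet) -> bool:
    """All configured criteria must hold for the rule to match."""
    if pkt.protocol != rule.protocol:
        return False
    if not rule.port_range[0] <= pkt.dst_port <= rule.port_range[1]:
        return False
    if not rule.length_range[0] <= len(pkt.payload) <= rule.length_range[1]:
        return False
    if not rule.detect_payload:
        return True
    # Only [offset, offset + depth) is searched; the same string elsewhere in
    # the payload does not count, which is why offset and depth go together.
    window = pkt.payload[rule.offset:rule.offset + rule.depth]
    return (rule.pattern in window) == rule.must_contain

def decide(rules: list, pkt: Packet) -> str:
    """Return the action of the first matching rule; unmatched packets are forwarded."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return FORWARD

# Constructed sample rule: drop and block UDP packets to ports 7000-7100 that carry
# the marker b"FLOOD" within 8 bytes starting at payload offset 4.
SAMPLE_RULES = [FilterRule("UDP", (7000, 7100), (0, 1500), True, 4, 8, b"FLOOD", True, DISCARD_BLOCK)]
```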
Speed Limit
Click Add, select the protocol for speed limit, and then set the limit threshold. The speed of ICMP, TCP, UDP, and other protocols can be limited.
Reject Traffic from Outside China
Select "Enable" or "Disable". The protection engine of Anti-DDoS Advanced is embedded with an IP library containing IPs from outside China. If you enable this feature, source IPs in the library will be rejected. The Enable operation takes effect when attacks occur. The Disable operation takes effect immediately.
Connection Flood Protection
Exceptional Connection Detection
The following parameters can be configured only if Maximum Number of Exceptional Source IP Connections is enabled.
TCP Protection Port and UDP Protection Port
A TCP/UDP protection port can be configured with up to 5 port ranges. Different port ranges cannot overlap one another. If the starting and ending port numbers are the same, the range is treated as a single port. You need to configure at least one TCP or UDP port range.
UDP watermark removal is available only when a UDP port range is configured. You can also specify the offset of the watermark tag in the UDP packet.
UDP Watermark Removal
Select Automatically Remove UDP Packet Watermark. After a data packet passes through the security protection system, the watermark in the UDP packet is automatically removed and the packet is then forwarded to the real server.
If the Anti-DDoS system is not required to remove the UDP watermark, then the client needs to be modified for watermark removal.
Offset
Specify the offset of the watermark tag in the UDP packet. The default value is 0, and the value range is 0–99. The offset only works after UDP watermark removal is enabled.
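The following is an added example (not code from the Anti-DDoS product or this page) that illustrates the client-side and protection-side halves of UDP watermarking as described above: the client inserts a tag at the configured offset, and the protection side verifies the tag against each currently active key (the console allows at most 2 at one time, which permits rotation), strips it, and forwards only the clean payload. The tag format is an assumption (an 8-byte truncated HMAC-SHA256 over the business payload), and the keys are constructed sample values.

```python
import hmac
import hashlib

TAG_LEN = 8  # assumed watermark tag length; the real tag format is not documented here

def make_tag(key: bytes, payload: bytes) -> bytes:
    # Assumed scheme: the watermark is a truncated HMAC over the business payload.
    return hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]

def add_watermark(payload: bytes, key: bytes, offset: int) -> bytes:
    """Client side: insert the tag at the configured offset (0-99 per the console)."""
    if not 0 <= offset <= 99 or offset > len(payload):
        raise ValueError("offset must be 0-99 and within the payload")
    return payload[:offset] + make_tag(key, payload) + payload[offset:]

def strip_watermark(packet: bytes, active_keys: list, offset: int):
    """Protection side: verify against every active key, then return the payload
    with the tag removed, or None when the packet is to be dropped."""
    if len(packet) < offset + TAG_LEN:
        return None                      # too short to carry a tag: forged or garbage
    tag = packet[offset:offset + TAG_LEN]
    payload = packet[:offset] + packet[offset + TAG_LEN:]
    for key in active_keys:
        if hmac.compare_digest(tag, make_tag(key, payload)):
            return payload               # valid: forward the clean payload to the real server
    return None                          # no active key produced this tag: drop

# Constructed sample keys, standing in for the two keys the console allows at one time.
KEY_OLD = b"constructed-key-1"
KEY_NEW = b"constructed-key-2"
```

If the protection side is not configured to remove the watermark, the client (or the real server) must apply the same stripping step itself, as the page notes.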
Log in to the Anti-DDoS Console and select Anti-DDoS Advanced > Protection Configuration. On the Advanced DDoS Protection Policy tab, click Bind Resource next to the target policy.
Log in to the Anti-DDoS Console and select Anti-DDoS Advanced > Protection Configuration. On the Advanced DDoS Protection Policy tab, click Download Client Watermark File next to the target policy to add the watermark to the client offline.
Log in to the Anti-DDoS Console and select Anti-DDoS Advanced > Protection Configuration. On the Advanced DDoS Protection Policy tab, click Watermark Key Configuration next to the target policy.
At most 2 keys can exist at one time. If you need to add more keys, please delete an existing one first. If only one key is activated, you cannot disable or delete it.
Log in to the Anti-DDoS Console and select Anti-DDoS Advanced > Protection Configuration. On the Advanced DDoS Protection Policy tab, click Configuration next to the target policy. Update the following parameters as required, and then click OK.
You cannot modify a policy name in the "scenario name_policy_No." format.
Log in to the Anti-DDoS Console and select Anti-DDoS Advanced > Protection Configuration. On the Advanced DDoS Protection Policy tab, click Delete next to the target policy. In the pop-up dialog box, click OK.